Argh! Has anyone else worked around this issue? I'll see about providing a patch.
doug On 8/3/11 5:05 PM, "Henry Saputra" <[email protected]> wrote: > Ah yes, looks like issue SHINDIG-1454 =( > I was trying it with REST call, sorry. > > However as issue SHINDIG-1455 mentioned, turning off Anonymous ST will > make osapi libs do not load properly. > > - Henry > > 2011/8/3 daviesd <[email protected]>: >> Hmmm... good observation. However, I switched them around, still no >> success... I wonder if this has to do with >> >> https://issues.apache.org/jira/browse/SHINDIG-1454 >> and >> https://issues.apache.org/jira/browse/SHINDIG-1455 >> >> doug >> >> On 8/3/11 4:34 PM, "Henry Saputra" <[email protected]> wrote: >> >>> Its happening in the code. See SocialApiGuiceModule class: >>> >>> public class SocialApiGuiceModule extends AbstractModule { >>> >>> ? /** {@inheritDoc} */ >>> ? @Override >>> ? protected void configure() { >>> >>> bind(ParameterFetcher.class).annotatedWith(Names.named("DataServiceServlet")>>> ) >>> ? ? ? ? .to(DataServiceServletFetcher.class); >>> >>> ? ? bind(Boolean.class) >>> >>> .annotatedWith(Names.named(AnonymousAuthenticationHandler.ALLOW_UNAUTHENTICA >>> TE >>> D)) >>> ? ? ? ? .toInstance(Boolean.TRUE); >>> >>> >>> Since the SocialApiGuiceModule is listed later than PropertiesModule, >>> it overrides the binding of the shindig.allowUnauthenticated property. >>> >>> - Henry >>> >>> On Wed, Aug 3, 2011 at 12:51 PM, daviesd <[email protected]> wrote: >>>> I¹m trying to figure out how to prohibit rpc calls (gadgets.metadata, etc.) >>>> from being made unless shindig.auth.updateSecurityToken has been called. >>>> ?If >>>> I enable secure tokens and I set the token to something in clear text, it >>>> denies the rpc requests as it should. ?Providing the encrypted token then >>>> works. ?However if I don¹t call updateSecurityToken at all then it uses the >>>> AnonymousSecurityToken and the call succeeds. ?I don¹t want this. >>>> >>>> I tried setting >>>> >>>> shindig.allowUnauthenticated=false >>>> >>>> In shindig.properties thinking this would enforce this, it appears to be >>>> used inside on AnonymousSecurityToken. >>>> >>>> Ideas? >>>> >>>> Doug >>>> >>>> >>> >> >> >> >
